#######################################################################
Luigi Auriemma
Application: Wonderware Archestra SuiteLink
http://www.wonderware.com
Versions: current (it should be 59.x)
the _Grow crash has been confirmed on versions 51.5 and
older while the resource consumption is valid for all the
versions
Platforms: Windows
Bug: Resource consumption (Denial of Service in older
versions)
Exploitation: remote
Date: 11 May 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
SuiteLink is a protocol used to allow various components from different
vendors (GE, Siemens, Wonderware itself and so on) to communicate
and exchange data through a central server running the slssvc service.
Additional info from other vendors:
"SuiteLink supports data properties (VTQ) for Value, Time Stamp and
Quality which are especially important for alarming, historical
archiving and SCADA applications."
#######################################################################
======
2) Bug
======
UPDATE 13 May 2012:
Added additional information about the effects on different versions,
indeed the _Grow crash was tested on a previous version released in
2010 (version 51) and I have been able to test a more recent version
only today.
Note that version 51.5.0.0 is still distributed in the current
Historian and FsGateway products available on Intouch 10.5.
The slssvc service can receive packets of any size containing very long
unicode strings.
These strings are duplicated various times, consuming a lot of resources
(like memory) and CPU for some time, making the whole system slow and
almost impossible to use.
Instead, in versions released before 2011 like 51.5.0.0 (if the "_Grow"
string is present inside the executable, it's vulnerable) the slssvc
service can be crashed remotely due to a long and unallocatable unicode
string when calling _Grow().
The following code comes from the function that handles
"guid + number + unicode string", but it's possible that this bug can
be exploited in other places where it's necessary to allocate space
for duplicating other strings:
00404BE2 |. 57 PUSH EDI ; /s
00404BE3 |. 8816 MOV BYTE PTR DS:[ESI],DL ; |
00404BE5 |. 895E 04 MOV DWORD PTR DS:[ESI+4],EBX ; |
00404BE8 |. 895E 08 MOV DWORD PTR DS:[ESI+8],EBX ; |
00404BEB |. 895E 0C MOV DWORD PTR DS:[ESI+C],EBX ; |
00404BEE |. FF15 30714000 CALL DWORD PTR DS:[] ; \wcslen
00404BF4 |. 83C4 04 ADD ESP,4
00404BF7 |. 8BF8 MOV EDI,EAX
00404BF9 |. 8BCE MOV ECX,ESI
00404BFB |. 6A 01 PUSH 1
00404BFD |. 57 PUSH EDI
00404BFE |. FF15 E4704000 CALL DWORD PTR DS:[] ; MSVCP60.?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
...
0034F761 C640 FF 00 MOV BYTE PTR DS:[EAX-1],0 ; EAX is 2
In the most recent versions like 56.x the crash isn't reached because
that part of the code has been modified and _Grow is no longer used in
the software; the vendor opted for a classical "basic_string" allocator.
Obviously the resource consumption problem affects all the versions.
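As an added illustration that is not part of this advisory or of the vendor's code: the defensive counterpart to the pattern in the disassembly above, where wcslen() walks the raw packet and the copy length handed to the allocator is whatever the sender put on the wire. The field layout (little-endian UTF-16, NUL-terminated), the kMaxStringChars limit and the function names are assumptions; char16_t stands in for Windows' 16-bit wchar_t so the example builds on any platform.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <string>
#include <vector>

// Upper bound on UTF-16 code units per string field. Assumed value for this
// example; a real service would size it to its longest legitimate item name.
static const size_t kMaxStringChars = 1024;

// Pattern from the disassembly, for contrast only: wcslen() walks the raw
// packet looking for a terminator the sender may have omitted, and the copy
// length is whatever the sender chose, so a huge value reaches the allocator.
//   std::wstring unsafe_copy(const wchar_t* s) { return std::wstring(s, wcslen(s)); }

// Read one little-endian UTF-16 code unit at index i of buf.
static char16_t unit_at(const uint8_t* buf, size_t i) {
    return static_cast<char16_t>(buf[2 * i] | (buf[2 * i + 1] << 8));
}

// Hardened parser: the terminator is searched only inside the packet bounds,
// the length is capped before any allocation, and allocation failure is
// reported as a protocol error rather than left to crash the service.
// Returns true and fills `out` on success; false for odd-sized, unterminated,
// oversized or unallocatable fields.
bool parse_wide_string(const uint8_t* buf, size_t len, std::u16string& out) {
    if (len % 2 != 0) return false;            // UTF-16 needs an even byte count
    const size_t units = len / 2;
    size_t n = 0;
    while (n < units && unit_at(buf, n) != 0) {
        if (++n > kMaxStringChars) return false;  // reject before allocating
    }
    if (n == units) return false;              // no terminator inside the packet
    try {
        out.assign(n, u'\0');
        for (size_t i = 0; i < n; ++i) out[i] = unit_at(buf, i);
    } catch (const std::bad_alloc&) {
        return false;                          // out of memory: drop the packet
    }
    return true;
}

// Constructed sample packets (not captured traffic): a valid two-character
// field, one with no terminator, and one exceeding the limit.
std::vector<uint8_t> sample_ok()     { return {'A', 0, 'B', 0, 0, 0}; }
std::vector<uint8_t> sample_noterm() { return {'A', 0, 'B', 0}; }
std::vector<uint8_t> sample_huge() {
    std::vector<uint8_t> p(2 * (kMaxStringChars + 1), 'x');  // 1025 units of 0x7878
    p.push_back(0); p.push_back(0);                           // terminated, but too long
    return p;
}
```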
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/suitelink_1.zip
PoC updated to test the vulnerability indefinitely (in a loop).
#######################################################################
======
4) Fix
======
No fix.
#######################################################################